CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-20616
https://notcve.org/view.php?id=CVE-2022-20616
Jenkins Credentials Binding Plugin 1.27 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it's a zip file. El plugin Jenkins Credentials Binding versiones 1.27 y anteriores, no lleva a cabo una comprobación de permisos en un método que implementa la comprobación de formularios, que permite a atacantes con acceso Overall/Read comprobar si un ID de credencial es referido a una credencial de archivo secreto y si es un archivo zip • http://www.openwall.com/lists/oss-security/2022/01/12/6 https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2342 • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-2182 – jenkins-credentials-binding-plugin: improper masking of secrets
https://notcve.org/view.php?id=CVE-2020-2182
Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets containing a `$` character in some circumstances. Jenkins Credentials Binding Plugin versiones 1.22 y anteriores, no enmascara (es decir, reemplazar con asteriscos) los secretos que contienen un carácter "$" en algunas circunstancias. • http://www.openwall.com/lists/oss-security/2020/05/06/3 https://jenkins.io/security/advisory/2020-05-06/#SECURITY-1835 https://access.redhat.com/security/cve/CVE-2020-2182 https://bugzilla.redhat.com/show_bug.cgi?id=1847348 • CWE-222: Truncation of Security-relevant Information CWE-522: Insufficiently Protected Credentials •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-2181 – jenkins-credentials-binding-plugin: information disclosure in build log when build contains no build steps
https://notcve.org/view.php?id=CVE-2020-2181
Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets in the build log when the build contains no build steps. Jenkins Credentials Binding Plugin versiones 1.22 y anteriores, no enmascara (es decir, reemplazar con asteriscos) los secretos en el registro de compilación cuando la compilación contiene pasos sin compilar. • http://www.openwall.com/lists/oss-security/2020/05/06/3 https://jenkins.io/security/advisory/2020-05-06/#SECURITY-1374 https://access.redhat.com/security/cve/CVE-2020-2181 https://bugzilla.redhat.com/show_bug.cgi?id=1847341 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-522: Insufficiently Protected Credentials •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1000057
https://notcve.org/view.php?id=CVE-2018-1000057
Jenkins Credentials Binding Plugin 1.14 and earlier masks passwords it provides to build processes in their build logs. Jenkins however transforms provided password values, e.g. replacing environment variable references, which could result in values different from but similar to configured passwords being provided to the build. Those values are not subject to masking, and could allow unauthorized users to recover the original password. Jenkins Credentials Binding Plugin, en versiones 1.14 y anteriores, oculta las contraseñas que proporciona para construir procesos en sus archivos de registro de builds. Sin embargo, Jenkins transforma los valores de contraseña proporcionados, por ejemplo, reemplazando las referencias de variables de entorno, lo que podría resultar en que los valores sean diferentes pero similares a contraseñas configuradas que se entregan a la build. • https://jenkins.io/security/advisory/2018-02-05 • CWE-522: Insufficiently Protected Credentials •